/523840 

YpVQ^ Rec'd PCT/PTO 0 8 FEB 2005 



UNIVERSAL CALCULATION METHOD APPLIED TO POINTS ON 
AN ELLIPTIC CURVE DEFINED BY A QUART IC, AND ASSOCIATED 
CRYPTOGRAPHIC METHOD AND ELECTRONIC COMPONENT 

5 The present invention concerns a universal 

calculation method applied to points on an elliptic 
curve, and an electronic component comprising means of 
implementing such a method. The invention is in 
particular applicable for the implementation of 
10 cryptographic algorithms of the public key type, for 
example in smart cards. 

Public key algorithms on an elliptic curve allow 
cryptographic applications of the ciphering, digital 
15 signature, authentication, etc. type. 

They are in particular much used in applications 
of the smart card type, since they make it possible to 
use keys of short length, permitting fairly short 
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processing times, and they may not require the use of 
cryptoprocessors for their implementation, which 
reduces the production cost of the electronic 
components in which they are implemented. 

5 

Before going further, a few reminders about 
elliptic curves should be given first of all. 

10 The points on an elliptic curve are defined over 

a field and form an Abelian group <E(1Q, in which the 
group operation is the addition of points denoted +, 
and where a neutral element denoted O is distinguished. 

15 For a finite field, the cardinal of <E(K) is finite. 

There therefore exists for any point P an integer m 
such that: 

0=m.P=P+P+ ... + P, m times 

20 

and such that, for any integer k < m, k.P ^ O. 
Such an integer m is referred to as the order of P. In 
this case, m divides the cardinal of 

25 Certain curves have particular properties. For 

example, an elliptic curve having a point of order two 
has a cardinal divisible by 2. Or, an elliptic curve 
having a point of order three is a curve such that the 
cardinal of the group <E(7Q is divisible by 3. Curves 
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having the same particular property are grouped 
together in the same family. 

A point on an elliptic curve can be represented 
5 by several types of coordinate, for example by affine 
coordinates or Jacobi projective coordinates. 

Various models exist for defining an elliptic 
curve applicable in cryptography. A commonly used model 
10 is. the so-called Weierstrass model. The Weierstrass 
« model is very general since any elliptic curve can come 
under this model. 

Each model can be used by means of the different 
15 types of coordinate. 

For example, in affine coordinates and where the 
characteristic p of the field % is different from 2 and 
3, the Weierstrass model is defined as follows: the 
20 neutral point O (the point at infinity in the 
Weierstrass model) and the set of points (X, Y) % 7C X ^C 
satisfying the equation: 

E/3C : Y 2 = X 3 + a*X + b 

25 (Fl) 

with a, b x K such that 4a 3 + 27b 2 * 0, form the 
group of rational points on an elliptic curve ^(K). The 
point P can also be represented by Jacobi projective 
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coordinates of the general form (U, V, W) . (X, Y) and 
(U, V, W) are linked by the following equations: 

X = U/W and Y = V/W 2 

5 (F2) 

With these Jacobi projective coordinates, the 
Weierstrass equation of an elliptic curve becomes: 

10 E/7C : V 2 = U 3 + a*UW 4 + b*W 6 

(F3) 

Projective coordinates are in particular 
advantageous in exponentiation calculations applied to 
15 points on an elliptic curve, since they do not comprise 
any inversion calculations in the field. 

As shown by the formula F2, one and the same 
point has several possible representations in Jacobi 
20 projective coordinates. Also, the following equivalence 
relationship is defined over \ {(0, 0, 0)}: two 

elements, with coordinates (U, V, W) and (U' , V , W ) , 
are referred to as equivalent and belong to the same 
equivalence class if and only if there exists a non- 
25 null element X of % such that 



(U' , V , W ) = XU, X 2 V, XVI) 

(F4) 



J 
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The coordinates of an element of this class are 
denoted (U : V : W) . 



5 According to the model which defines the elliptic 

curve and according to the coordinates used for 
working, different formulae for addition, subtraction 
and doubling of points are applicable. In the case of 
the Weierstrass model, such formulae are known and 
10 given by the well-known secant and tangent rule. 



In the example of an elliptic curve E given by a 
Weierstrass model in affine coordinates over a field 
with characteristic different from 2 and 3, the 
15 simplest formulae for addition, subtraction and 
doubling of points are as follows. 

The inverse of a point PI = (XI, Yl) on the curve 
E is the point -PI = (X lf Y x ) with 

20 

Yl = -Yl 

(F5) 

The operation of addition of points PI with 
25 coordinates (XI, Yl) and P2 with coordinates (X2, Y2) 
on this curve, with PI ^ -P2, gives the point P3 - PI + 
P2 whose coordinates (X3, Y3) are such that: 
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X3 = X 2 - XI - X2 
(F6) 
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Y3 = A,x(Xl-X3) - Yl, 

(F7) 

5 with 

X = (Y1-Y2) / (X1-X2) , if PI * P2 

(F8) 

10 X = (3xXl 2 +a) / (2xYl) , if PI = P2 

(F9) 

The formula F8 is used for adding two distinct 
points (P3 = PI + P2) whilst the formula F9 is used for 
15 a point doubling operation (P3 = 2xPl) . 

The formulae F6 to F9 are not valid when PI 
and/or P2 is equal to the neutral point O. Most often, 
in practice, an operation of the type P3 = PI + O is 

20 not carried out. More simply, before an addition 
operation of the type P3 = PI + P2 is carried out, it 
is tested whether at least one of the points is equal 
to the neutral O. The operation P3 = PI is then carried 
out if PI = O or the operation P3 = P2 is carried out 

25 if P2 = O. 

The operations of addition or subtraction, or 
doubling of a point, and the operation of addition of 
the neutral are the basic operations used in scalar 
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multiplication algorithms on elliptic curves: given a 
point PI belonging to an elliptic curve E and d a 
predetermined number (an integer) , the result of the 
scalar multiplication of the point PI by the number d 
5 is a point P2 on the curve E such that P2 = dxPl = PI + 
PI + . . . + PI, d times. It should be noted that, if PI 
is of order n, then nxPl = O, (n+l)xPl = Pl + O = PI, 
etc. , O being the neutral point. 

Public key cryptographic algorithms on an 
elliptic curve are based on the scalar multiplication 
of a selected point PI on the curve by a predetermined 
number d, a secret key. The result of this scalar 
multiplication dxPl is a point P2 on the elliptic 
curve. In an example of application to ciphering 
according to the El Gamal method, the point P2 obtained 
is the public key which is used for the ciphering of a 
message . 

20 The calculation of the scalar multiplication P2 = 

dxPl can be carried out by various algorithms. A few of 
them can be cited, such as the double and add algorithm 
based on the binary representation of the multiplier d, 
the so-called "addition/subtraction" algorithm based on 

25 the signed binary representation of the multiplier d, 
the window algorithm, etc. 
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All these algorithms use the formulae for 
addition, subtraction, doubling and addition of the 
neutral defined on elliptic curves. 

5 However, these algorithms prove to be sensitive 

to attacks aiming to discover in particular the value 
of the secret key d. There can be cited in particular 
the simple or differential covert channel attacks. 

10 Simple or differential covert channel attack 

means an attack based on a physical quantity measurable 
from outside the device, and whose direct analysis 
(simple attack) or analysis according to a statistical 
method (differential attack) makes it possible to 

15 discover information contained and manipulated in 
processing in the device. These attacks can thus make 
it possible to discover confidential information. These 
attacks have in particular been disclosed in Dl (Paul 
Kocher, Joshua Jaffe and Benjamin Jun. Differential 

20 Power Analysis. Advances in Cryptology - CRYPTO' 99, 
vol. 1666 of Lecture Notes in Computer Science, pp. 
388-397. Springer-Verlag, 1999). Amongst the physical 
quantities which can be exploited for these purposes, 
there can be cited the execution time, the current 

25 consumption, the electromagnetic field radiated by the 
part of the component used for executing the 
calculation, etc. These attacks are based on the fact 
that the manipulation of a bit, that is to say its 
processing by a particular instruction, has a 

30 particular impression on the physical quantity in 
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question according to the value of this bit and/or 
according to the instruction. 

In the cryptographic systems based on elliptic 
5 curves, these attacks aim to identify an operation (for 
example an addition of points of the type P3 = PI + P2, 
an addition of the type P3 = PI + O, or a scalar 
multiplication of the type P3 = d*Pl) in a set of 
operations carried out successively. 

10 

If the example of a scalar multiplication 
algorithm on elliptic curves with the Weierstrass model 
is taken, this algorithm may be sensitive to simple 
covert channel attacks, since the basic operations of 
15 doubling of points, addition of points or addition of 
the neutral point are substantially different as shown 
by the calculation of lambda in the formulae F8 and F9 
above . 

20 It is therefore necessary to provide 

countermeasure methods making it possible to prevent 
the various attacks from prospering. In other words, it 
is necessary to make the scalar multiplication 
algorithms secure . 

25 

For this, from D2 (Eric Brier and Marc Joye . 
Weierstrass elliptic curves and side-channel attacks. 
In D. Naccache, editor, Public Key Cryptography, volume 
30 2274 of Lecture Notes in Computer Science, pages 335- 
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345. Springer-Verlag, 2002), a single formulation for a 
doubling of points operation and an addition of points 
operation is known. Thus, the two operations can no 
longer be differentiated by a covert channel attack. 
5 This formulation however has the drawback of not being 
valid for carrying out an operation of addition of the 
neutral point. 

From D3 (Pierre-Yvan Liardet and Nigel P. Smart. 
Preventing SPA/DPA in ECC systems using the Jacobi 
form. In C.K.Kog, D. Naccache, and C. Paar, editors, 
Cryptographic Hardware and Embedded Systems - CHES 
2001, volume 2162 of Lecture Notes in Computer Science, 
pages 391-401. Springer-Verlag, 2001), a single 
formulation for an addition operation and a doubling of 
points operation is also known. This formulation 
however is applicable only within the context of an 
elliptic curve having three points of order 2. 
Moreover, the formulation proposed in D3 requires 
considerable memory space in order to be implemented 
since the points are stored with four coordinates. This 
is not easily compatible with a smart card type 
application . 

25 From D4 (Marc Joye and Jean- Jacques Quisquater. 

Hessian elliptic curves and side-channel attacks. In 
C.K.Kog, D. Naccache, and C. Paar, editors, 
Cryptographic Hardware and Embedded Systems - CHES 
2001, volume 2162 of Lecture Notes in Computer Science, 

30 pages 402-410. Springer-Verlag, 2001), a single 
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formulation for an addition operation and a doubling of 
points operation is also known. However, this 
formulation is applicable solely to elliptic curves 
having a point of order three. 

5 

D3 and D4 do not mention the problem of addition 
of the neutral. 

10 One aim of the invention is to propose a solution 

for protection against covert channel attacks, in 
particular SPA attacks, which is more efficient than 
the solutions already known. 

15 Another aim of the invention is to propose a 

solution which can be implemented in a circuit having 
not much memory space available, with a view for 
example to a smart card type application. 

20 These objectives are achieved in the invention by 

a single formulation making it possible to carry out an 
addition of two distinct points, a doubling of points, 
and an operation of addition of the neutral. The said 
formulation according to the invention is moreover 

25 minimal: thus the number of operations to be performed 
and the memory space necessary for its implementation 
are limited. 
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Thus, the invention concerns a method of 
universal calculation on points on an elliptic curve. 
According to the invention, the elliptic curve is 
defined by a quartic equation and identical programmed 
5 calculation means are used to carry out an operation of 
addition of points, an operation of doubling of points, 
and an operation of addition of a neutral point, the 
calculation means comprising in particular a central 
processing unit associated with a memory. 

10 

In other words, according to the invention, the 
use of a model of the elliptic curve in the form of a 
quartic (that is to say a 4 th degree polynomial ) makes 
it possible to use a single formulation for carrying 
15 out operations of addition of points, point doubling 
and addition of the neutral point of the curve. 

It then becomes impossible to distinguish one of 
these operations from the others by an attack such as a 
20 covert channel attack. 

Furthermore, the use of a model of the curve in 
quartic form makes it possible to represent a point by 
means of only 3 projective coordinates, which limits 
25 the memory space necessary for storing the coordinates 
of a point and reduces the calculation times during 
operations on points. 



30 



Finally, as will be seen more clearly in 
examples, the single formulation obtained according to 
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the invention for carrying out three types of addition 
(addition of two distinct points, doubling of points 
and addition of the neutral) uses a limited number of 
elementary operations of multiplication type, which 
5 further limits the calculation times and memory space 
necessary. 

The invention also concerns the use of a 
10 universal calculation method as described above, in a 
scalar multiplication calculation method applied to 
points on an elliptic curve, and/or in a cryptographic 
method. 

15 The invention also concerns an electronic 

component comprising programmed calculation means for 
implementing a universal calculation method as 
described above or a cryptographic method using the 
above universal calculation . method. The calculation 

20 means comprise in particular a central processing unit 
associated with a memory. 

Finally, the invention also concerns a smart card 
comprising the above electronic component. 

25 

The invention and the advantages ensuing 
therefrom will emerge more clearly from a reading of 
the following description of particular example 
30 embodiments of the invention, given on a purely 
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indicative basis and with reference to the single 
accompanying figure. This depicts in block diagram form 
an electronic device 1 capable of carrying out 
cryptographic calculations . 

5 

In the following examples, the device 1 is a 
smart card intended to execute a cryptographic program. 
To that end, the device 1 combines, in a chip, 
programmed calculation means, consisting of a central 
10 processing unit 2 functionally connected to a set of 
memories including: 

- a memory 4 accessible in read mode only, in the 
example of the mask ROM (mask read-only memory) type; 

15 

an electrically re-programmable memory 6, in 
the example of the EEPROM (electrically erasable 
programmable ROM) type; and 

20 - a working memory 8 accessible in read mode and 

write mode, in the example of the RAM (random access 
memory) type. This memory comprises in particular 
calculation registers used by the device 1. 

25 The executable code corresponding to the scalar 

multiplication algorithm is contained in program 
memory. This code can in practice be contained in 
memory 4, accessible in read mode only, and/or in 
rewritable memory 6. 
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The central processing unit 2 is connected to a 
communication interface 10 which provides the exchange 
of signals with regard to the outside and the power 
supply for the chip. This interface can comprise pads 
5 on the card for a so-called "contact" connection with a 
reader, and/or an antenna in the case of a so-called 
M contact less" card . 

One of the functions of the device 1 is to cipher 
10 or decipher a confidential message m respectively 
transmitted to, or received from, the outside. This 
message may concern for example personal codes, medical 
information, accounting on banking or commercial 
transactions, authorisations for access to certain 
15 restricted services, etc. Another function is to 
calculate or verify a digital signature. 

In order to carry out these functions, the 
central processing unit 2 executes a cryptographic 
20 algorithm on programming data which are stored in the. 
mask ROM 4 and/or EEPROM 6 parts. 

The algorithm used here is a public key algorithm 
on an elliptic curve within the context of a model in 
25 the form of a quartic. The concern here will more 
precisely be with a part of this algorithm, which makes 
it possible to carry out basic operations, that is to 
say addition operations: addition of two distinct 
points, of two identical points (that is to say an 
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operation of doubling of a point) , or of any point 
whatsoever and the neutral point. 

It should be noted that, according to the 
invention, these three operations are carried out using 
the same formulation and are therefore not 
distinguishable from one another from the outside for a 
simple covert channel attack. 

Within the context of the invention, the concern 
is with the elliptic curve models defined by a quartic 
equation instead of the Weierstrass cubic equation 
usually used. 

The general form of a quartic, in affine 
coordinates, is given by the equation: 

Y 2 = aO.X 4 + al.X 3 + a2.X 2 + a3.X + a4 
(F10) 

or, in Jacobi projective coordinates, by the 
equation : 

V 2 = aO.U 4 + al.U 3 W + a2 . U 2 W 2 + a3.UW 3 + a4W 4 
(Fll) 

knowing that the affine coordinates and the 
Jacobi projective coordinates of the same point are 
linked by the relationship: 
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(X, Y) = (U/W, V/W 2 ) 

(F12) 



In a first example embodiment of the invention, 
any elliptic curve whatsoever is considered, and an 
operation of the type P3 = P1 + P2 is carried out, with 
PI, P2 any two points whatsoever on the elliptic curve. 
10 P2 can be different from PI, equal to PI and/or equal 
to the neutral O of the curve. The addition operation 
is carried out in Jacobi projective coordinates. 
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It is shown that any curve with equation 

Y 2 = X 3 + a.X + b (Weierstrass equation) 

is birationally equivalent to a curve with 
equation 

Y 2 = b.X 4 + a.X 3 + X 

(F13) 



The equation F13 is ultimately a particular case 
25 of the equation F10, with a0=b, al=a, a2=0, a3=l, a4=0. 

Using the equivalence relationships F12, it is 
shown that the equation F13 can also be written, in 
Jacobi projective coordinates: 

30 



10 
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V 2 = b.U 4 + a.U 3 W + UW 3 

(F14) 

When the scalar multiplication calculation device 
is called upon to carry out an addition operation, the 
central processing unit 2 first of all stores in 
calculation registers the coordinates (Ul : VI : Wl) 
and (U2 : V2 : W2) of the points PI, P2 on the elliptic 
curve which are to be added. 

The central processing unit 2 next calculates the 
coordinates of the point P3 according to the equations: 



U3 = 2.b.Ul 2 .U2 2 

15 + (aUl.U2 + W1.W2) . (U1.W2+W1.U2) + 

2V1.V2 (F15) 

V3 = (Ul 2 . V2+U2 2 . VI) * 

(4b. (U1.W2+U2.W1) .W1.W2 
20 - 8b 2 . (U1.U2) 2 

+ a.[(2Wl.W2) 2 - (aUl.U2+Wl.W2) 2 ] 
+ (Wl 2 . V2+W2 2 .V1) * 

[ (aUl.U2+Wl.W2) 2 -(2aUl.U2) 2 + 
4bUl.U2. (W1.U2+U1.W2) ] 
25 - 4bUl.U2. (U1.W1.V2+U2.W2.V1) (aUl . U2-W1 . W2) 

(F16) 
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W3 = (aUl.U2-Wl.W2) 2 - 4bUl.U2 (U1.W2+U2.W1) 
(F17) 
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The coordinates (U3 : V3 : W3) of the point P3 
are finally stored in registers in the working memory 
8, in order to be used elsewhere, for example for the 
remainder of the ciphering algorithm. 

5 

It is verified that the formulae F15 to F17 are 
valid, even in the case where PI = P2 (point doubling) 
or in the case where P2 = O (0 : 0 : 1) (addition of 
the neutral) . 

10 

In a second example embodiment of the invention, 
an elliptic curve having a single point of order two 
with affine coordinates (9, 0) is considered, and an 
15 operation of the type P3 = P1 + P2 is carried out, with 
PI, P2 any two points whatsoever on the elliptic curve. 
P2 can be different from PI, equal to PI and/or equal 
to the neutral O of the curve. The addition operation 
is given in Jacobi projective coordinates. 

20 

The point of order two satisfying the Weierstrass 
equation defining the elliptic curve, 0, is defined by 
the equation: 

25 0 3 + a.0 + b = 0 

It is then shown that any curve with equation 
Y 2 = X 3 + a.X + b (Weierstrass equation) 

30 



and having a single point (0, 0) of order two is 
birationally equivalent to a curve with equation 



Y 2 = 8.X 4 - 28.X 2 + 1 



(F18) 



with: 



e - - (a+39 2 



/4) /4 and 5 = 



30/4 



(F19) 



The equation F18 is ultimately a particular case 
of the equation F10, with a0=e, al=0, a2=-25, a3=0, 
a4=l. 

Using the equivalence relationships F12, it is 
shown that the equation F18 can also be written, in 
Jacobi projective coordinates: 



The change from the cubic model Y 2 = X 3 + aX + b 
to the quartic model Y 2 = e.X 4 - 25. X 2 + 1 is performed 
by the following transformations: 



V 2 = s.X 4 - 28.U 2 X 2 + W 4 



(F20) 



Weierstrass 



Quartic 



model 



model 



(0, 0) 



§ (0 : -1 : 1) 
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Y) 



(X, Y) ^ (2(X-9) : (2X+8) (X-0) 2 -Y 2 

O £, (0:1:1) 

Quartic Weierstrass 

model model 

(0:1:1) % O 

(0 : -1 : 1) § (9, 0) 



15 (U : V : W) § (2 (V+W 2 ) /U 2 - 6/2, 

W (4V+4W 2 -3GU 2 ) U 3 ) 

There are defined for this quartic model the 
neutral point O (0 : 1 : 1) and the inverse point of 
20 the point P (U : V : W) by the point -P (-0 : V : W) . 

When the exponentiation calculation device is 
called upon to carry out an addition operation, the 
central processing unit 2 first of all stores in 
25 calculation registers the coordinates (Ul : VI : Wl) 
and (U2 : V2 : W2) of the points PI, P2 on the elliptic 
curve which are to be added. 
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The central processing unit 2 next calculates the 
coordinates of the point P3 according to the equations: 

U3 = U1.W1.V2 + V1.U2.W2 
5 (F21) 

V3 = [(W1.W2) 2 + e(Ul.U2) 2 ] 
* [VI. V2- 

25U1.U2.W1.W2] +2e.Ul .U2.W1.W2 (U1 2 W2 2 +W1 2 U2 2 ) (F22) 

10 

W3 = (W1.W2) 2 - 8(U1.U2) 2 
(F23) 

The coordinates (U3 : V3 : W3) of the point P3 
15 are finally stored in registers in the working memory 
8, in order to be used elsewhere, for example for the 
remainder of the ciphering algorithm. 

Here again it is verified that the formulae F21 
20 to F23 are valid, even in the case where PI = P2 (point 
doubling) or in the case where P2 = O (addition of the 
neutral) . 

25 In the third example embodiment of the invention, 

a particular case of the second example is considered, 
in which the elliptic curve has three points of order 
two and is such that e = 1. Also, an operation of the 
type P3 = P1 + P2 is carried out, with PI, P2 any two 
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points whatsoever on the elliptic curve. P2 can be 
different from PI, equal to PI and/or equal to the 
neutral O of the curve. The addition operation is given 
in Jacobi projective coordinates for the model U 4 - 
5 25.U 2 .W 2 + W4 corresponding to the affine model Y 2 = X 4 + 
25.X 2 + 1. 

The equation F24 is ultimately a particular case 
of the most general equation F10, with aO = 1, al = 0, 
10 a2 = -25, a3 = 0, a4 = 1. 

When the exponentiation calculation device is 
called upon to carry out an addition operation, the 
15 central processing unit 2 first of all stores in 
calculation registers the coordinates (Ul : VI : Wl) 
and (U2 : V2 : W2) of the points PI, P2 on the elliptic 
curve which are to be added. 

20 The central processing unit 2 next calculates the 

coordinates of the point P3 according to the equations: 

U3 = U1.W1.V2 + V1.U2.W2 
(F27) 

25 

V3 = [ (W1.W2) 2 + (U1.U2) 2 ] 
* [VI. V2- 

25U1.U2 .W1.W2] +2U1.U2 .W1.W2 (Ul 2 W2 2 +Wl 2 U2 2 ) (F28) 
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W3 = (W1.W2) 2 - (U1.U2) 2 
(F29) 

The coordinates (U3 : V3 : W3) of the point P3 
5 are finally stored in registers in the working memory 
8, in order to be used elsewhere, for example for the 
remainder of the ciphering algorithm. 

Here again it is verified that the formulae F27 
10 to F29 are effective, even in the case where PI = P2 
(point doubling) or in the case where P2 = O (addition 
of the neutral) . 

15 From a practical implementation point of view, 

the formulae F27 to F29 can be implemented as follows: 

rl p ul.u2 

20 r2 p wl.w2 

r3 p rl.r2 

r4 p vl.v2 

25 

r5 p ul.wl + vl 



r6 p u2.w2 + v2 



10 



20 



25 



25 

u3 p r5.r6 - r4-r3 
w3 p (r2-rl) . (r2+rl) 
r6 p 5*r3 
r4 p r4 - 2.r6 



r6 p (r2+rl) 2 -2r3 



r4 p r4.r6 

r6 p (ul+wl) . (u2+w2) -rl-r2 



15 r5 p r6 2 - 2r3 



r6 p r5.r3 

v3 p r4 + 2.r6 



where ul, vl, wl, u2, v2, w2, u3, v3, w3 are 
calculation registers in which the projective 
coordinates of the points PI, P2 and P3 are stored, and 
rl to r6 are temporary calculation registers. 

Thus, according to this embodiment, the 
coordinates of the point P3 are obtained in a time 
equal to approximately 13 times the time for carrying 
out a multiplication of the contents of two registers + 
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one times the time for carrying out a multiplication of 
the contents of a register by a constant. The time for 
calculating the coordinates of P3 by means of the 
formulation according to the invention is thus much 
5 shorter than the time for calculating the coordinates 
of P3 by means of a formulation such as those of the 
prior art. 

It should be noted that this approximation is 
10 entirely realistic since the time for carrying out a 
multiplication of the contents of a register by a 
constant or a multiplication of the contents of two 
registers is in practice very much longer than the time 
for carrying out an addition of the contents of two 
15 registers. 

This is also true in the case of implementation 
of the formulae F15-F17 or F21-F23. 

20 

In a fourth example embodiment of the invention, 
an elliptic curve having a single point of order two 
with affine coordinates (0, 0) is considered, and an 
operation of the type P3 = P1 + P2 is carried out, with 
25 PI, P2 any two points whatsoever on the elliptic curve. 

P2 can be different from PI, equal to PI and/or equal 
to the neutral O of the curve. 

As was seen in the second example: 



30 



27 



e 3 + a .e+b=o 

The curve with Weierstrass equation 
5 Y 2 = X 3 + a.X + b 

and having a single point (0, 0) of order two is 
birationally equivalent to a curve with equation 

10 Y 2 = s.X 4 - 25.X 2 + 1 

(F18) 

with: 

15 s = -(a+39 2 /4)/4 and 5 = 39/4 

(F19) 

In this example, the addition operation is given 
in affine coordinates. 

20 

When the exponentiation calculation device is 
called upon to carry out an addition operation, the 
central processing unit 2 first of all stores in 
calculation registers the coordinates (XI, Yl) and (X2, 
25 Y2) of the points PI, P2 on the elliptic curve which 
are to be added. 



The central processing unit 2 next calculates the 
coordinates of the point P3 according to the equations: 
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X3 = (XI. Y2 + Y1.X2)/[1 - S(X1.X2) 2 ] 
(F30) 

Y3 = { [l+e(Xl.X2) 2 ] . [Yl. Y2 

28.Xl.X2]+2e.Xl.X2. (Xl 2 +X2 2 ) } 

/ [1 - s(Xl.X2) 2 ] 

(F31) 

The coordinates (X3, Y3) of the point P3 are 
finally stored in registers in the working memory 8, in 
order to be used elsewhere, for example for the 
remainder of the ciphering algorithm. 

Here again it is verified that the formulae F30 
to F31 are valid, even in the case where PI = P2 (point 
doubling) or in the case where P2 = O (addition of the 
neutral) . 



